[GRASS5] [bug #4281] (grass) Init.sh: security issue with the PATH

this bug's URL: http://intevation.de/rt/webrt?serial_num=4281
-------------------------------------------------------------------------

Subject: Init.sh: security issue with the PATH

Hi,

If you haven't set $GRASS_ADDON_PATH, then the path statement in Init.sh
includes "./" in the path.

e.g.
unset GRASS_ADDON_PATH

#Init.sh
PATH=$GISBASE/bin:$GISBASE/scripts:$GRASS_ADDON_PATH:$PATH

translates to

PATH=$GISBASE/bin:$GISBASE/scripts::$PATH

Now the "::" part acts like ":./:", which is a security risk -- if someone
dumps a nasty script called "ls" in your home dir, bad times may ensue.

better:

if [ -n "$GRASS_ADDON_PATH" ] ; then
   PATH="$GISBASE/bin:$GISBASE/scripts:$GRASS_ADDON_PATH:$PATH"
else
   PATH="$GISBASE/bin:$GISBASE/scripts:$PATH"
fi

??

or if [ -d "$GRASS_ADDON_PATH" ] ; then
??

Hamish

-------------------------------------------- Managed by Request Tracker
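
The empty-element problem reported above, as an added example that is not part of the original message or of Init.sh: one function joins PATH components while skipping empty ones (a generalisation of the proposed if/else), the other lists every element a shell would resolve against the current directory. The function names path_join and path_relative_entries are hypothetical, and /opt/grass is a constructed GISBASE value.

```shell
#!/bin/sh
# Added example (not from Init.sh): build and audit PATH-style strings.

# path_join PART...: join the non-empty arguments with ":" so that an unset
# variable such as GRASS_ADDON_PATH cannot leave an empty element behind.
path_join() {
    joined=
    for part in "$@"; do
        [ -n "$part" ] || continue
        joined="${joined:+$joined:}$part"
    done
    printf '%s\n' "$joined"
}

# path_relative_entries STRING: print one line per element that is looked up
# relative to the current directory: empty elements (from "::", a leading ":"
# or a trailing ":") are shown as <empty>; other non-absolute ones verbatim.
path_relative_entries() {
    rest=$1
    while :; do
        case $rest in
            *:*) entry=${rest%%:*}; rest=${rest#*:}; more=1 ;;
            *)   entry=$rest; more=0 ;;
        esac
        case $entry in
            /*) ;;                               # absolute: fine
            '') printf '%s\n' '<empty>' ;;       # same effect as "."
            *)  printf '%s\n' "$entry" ;;        # ".", "./", "bin", ...
        esac
        [ "$more" -eq 1 ] || break
    done
}

# Demo with constructed values; the real PATH is not modified.
GISBASE=/opt/grass
GRASS_ADDON_PATH=
old="$GISBASE/bin:$GISBASE/scripts:$GRASS_ADDON_PATH:/usr/bin:/bin"
new=$(path_join "$GISBASE/bin" "$GISBASE/scripts" "$GRASS_ADDON_PATH" "/usr/bin:/bin")
printf 'old: %s\n' "$old"; path_relative_entries "$old"
printf 'new: %s\n' "$new"; path_relative_entries "$new"
```

path_join only drops arguments that are entirely empty; running path_relative_entries on the final string also catches a "::" or a relative directory that arrives inside one of the components.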